How 2FA Can Help Tesla Cars Stay Secure
There is no denying that the era of electric vehicles is upon us. These vehicles become evermore capable with new features and improvements being delivered via over the air software updates. As software-centric vehicles become more ubiquitous one question has been left unanswered. How do we protect them as individual owners and at scale for organizations?
Perform a quick Google search of Tesla MFA and you will find that many Tesla vehicle owners have requested the ability to protect their Tesla accounts, which controls various car features, with some form of MFA (multi-factor authentication). It may sound like a dystopian future in which your car can be digitally compromised or remotely controlled — but the truth is that this is a reality in today’s world.
In 2019 alone, Tesla delivered close to 368,000 vehicles to customers, officially making it the leading electric vehicle manufacturer. Other electric vehicle manufacturers provide similar remote control capabilities of the vehicles through mobile applications as well. This remote control feature works very similar from a network communication standpoint by leveraging API’s built for each vehicle type.
Reverse Engineering Telsa’s API is Possible
As with other technologies, if you understand the software architecture of the target and have the appropriate credentials to execute commands, then you are in control of that target. Tesla, for example, does not grant users access to their API, so consumers might think that security through obscurity is enough. However, there are many people with the skills necessary to reverse engineer APIs in today’s technology driven culture.
While obscure to many Tesla owners, teslaapi.io is a website dedicated to doing just that. Through their research they have deconstructed the commands necessary to achieve things like unlocking doors, setting a speed limit and stopping charging. This combined with phished credentials poses the threat to software-centric vehicles.
Customers Are Asking for MFA for Tesla Accounts
YouTuber Alex Venz even goes as far as demonstrating how to unlock and drive away in a Tesla in this video:
Tesla CEO, Elon Musk, acknowledged customer’s request for greater security in May 2019 with this tweet:
Elon followed up on this comment in November of 2019 with this tweet:
On his most recent tweet on the subject, he explains that a solution is on the horizon:
With time, we are certain that Tesla will deliver MFA Security as it has for other customer requested features, but until then the security gap still exists.
How Duo’s MFA Helps Software-Centric Cars
There are many security and user experience complexities that can come into play when deploying MFA at scale to an established user base. Duo is a leader in the industry not only for its world-class product — but also for the ability to make the user experience as easy and intuitive as possible.
Ease of use will be the leading factor in adoption and reception when Tesla deploys MFA to its consumers. As noted by user Pueo in this Tesla Motors Club forum thread, “Hopefully 2FA happens in a timely fashion”
On the other end of the spectrum, Porsche’s recently released Tycan shares similar remote control features with an added cost service they call Porsche Connect. The security layer requires an owner to register via a website and obtain an activation code before being able to register their mobile device for remote control. While the website itself implements MFA via SMS for first time logins, the process is cumbersome and does not directly protect the vehicle, but rather the service which makes remote control possible.
Individual owners might not find this security gap concerning but organizations that use these vehicles as part of their business will seek to protect their assets. We hope to see the reach of these vehicles expand to ride sharing and rental services in the near future. With that comes a new perspective on the ability to manage these vehicles. Organizations go through great lengths to protect their digital infrastructure, and we believe that electric vehicles will soon fall into that category.
As Jim Simpson, Director of Product Management at Duo put it, “What are the security implications of having a fleet and how do you manage that?”
We believe support for MFA is a good starting point in protecting these assets, but that will only be the beginning of the security journey for software centric vehicles and the organizations which leverage their incredible technology.
UPDATE: At the time of this writing it appears Tesla has just added 2FA.
Try Duo For Free
Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.